Skip to main content

Overview

EKS clusters in Kube Starter Kit are configured with private API endpoints by default for security. This means you can’t access the Kubernetes API directly from the internet; you need to go through the bastion host using a SOCKS5 proxy. This page covers:
  • Setting up SSH over AWS SSM Session Manager
  • Connecting to the cluster via SOCKS proxy
  • Configuring kubectl for persistent proxy access
If you prefer simpler access, you can enable the public API endpoint by setting endpoint_public_access = true in the EKS configuration (see Deploy Infrastructure - EKS Cluster). With a public endpoint, you can run aws eks update-kubeconfig and use kubectl directly without a proxy. However, this exposes your Kubernetes API to the internet, while still protected by IAM authentication, it increases your attack surface and may not meet compliance requirements.

Architecture

The bastion host:
  • Lives in a private subnet (no public IP)
  • Uses AWS SSM Session Manager for access (no SSH keys to manage)
  • Acts as a SOCKS5 proxy for kubectl traffic

One-Time Setup

If you haven’t already, run mise install to install the required tools (AWS CLI, Session Manager plugin, kubectl).

Configure SSH for SSM

Add the SSM proxy configuration to your SSH config:
Add this to ~/.ssh/config:
This allows SSH to instances via SSM using the instance ID as the hostname.

Connect to the Cluster

1

Authenticate to AWS

Start a Leapp session for the target account:
Verify authentication:
2

Update kubeconfig

Get the cluster credentials:
Or manually:
3

Start the SOCKS proxy

In a separate terminal (with the same Leapp session active), start the proxy:
This automatically looks up the bastion instance and starts a SOCKS5 proxy on localhost:1080. Keep this terminal open while accessing the cluster.
The task automatically pushes your SSH public key via EC2 Instance Connect (valid for 60 seconds) before establishing the SSH tunnel.
4

Use kubectl with the proxy

Option A: Per-command (temporary)
Option B: Update kubeconfig (persistent)
Now kubectl commands work without the environment variable:

Configure Persistent Access

To avoid passing the proxy URL each time, configure it in your kubeconfig:
Set the proxy for a specific cluster context:
This modifies ~/.kube/config to include the proxy URL for that cluster.

Production Access

The same process applies to production:
For production access, consider implementing additional access controls:
  • Require MFA for SSM sessions
  • Use AWS CloudTrail to audit access
  • Implement just-in-time access with temporary permissions

Next Steps

With cluster access configured, proceed to Deploy Kubernetes Baseline to bootstrap ArgoCD and deploy infrastructure components.